Last month we wrote about practical steps that APRA-regulated entities can take with third parties who manage their information assets so that they comply with APRA’s mandatory Prudential Standard CPS 234 (Information Security) (CPS 234) by 1 July 2020.

APRA has since announced that, in light of COVID-19, it “will consider requests for a six-month extension [to 1 January 2021] by regulated entities on a case-by-case basis”.  To apply for such an extension, an entity must “advise APRA of the nature of their third party arrangements, and how they are monitoring the risks associated with these arrangements”, particularly in light of the elevated cybersecurity risk presented by COVID-19.

APRA also advised in that announcement that it has deferred the commencement date for some other Prudential Standards and Policies, as follows:

Source: https://www.apra.gov.au/news-and-publications/apra-announces-new-commencement-dates-for-prudential-and-reporting-standards

You can find our article with information to comply with CPS 234 generally, here.


Authors: Claire Arthur and Lesley Sutton.

Expertise Area